User attributes / PrincipalTag propagation time

0

TL;DR: How long does it take for IAM Identity Management user attribute changes to propagate?

Hi there!

I set up a policy so that users whose Division attribute matches a "Division" tag on an instance can start/stop it. This is working, but I noticed that my test user can still manage the instance even after I changed the Division attribute, when the policy condition should fail. Does anyone know why there is a delay, how long it can be, and what I can do to get the "real" value, not what it was before?

I am asking because all the docs I found said that such changes were more or less instantaneous. But I have spent quite some time on this, debugging, trying to figure out why my test policy did not work, talking to ChatGPT for hours and trying all the suggestions (some rather good ones actually), wondering what kind of stupid mistake I am doing all the time. I learnt about the IAM Policy Simulator that way, and there it was working. So why not in real life?

A problem with the policy simulator is that I cannot pick my test user, as that comes from IAM Identity Management, not IAM - the test user shows up as assumed-role/AWSReservedSSO_DevTeamMemberAccess_xxx/testuser, but not in the policy simulator. There I can only select the AWSReservedSSO_DevTeamMemberAccess_xxx role, but that itself does not have a Division. However, the simulator detects that I am comparing "aws:PrincipalTag/Division" and offers to fill in the values. When I fill in the values as the test user has them set, all is working. And also in reality, unless I change the Division. Then it takes a while. Even signing out and in again does not seem to help here reliably.

Best regards, Alex

FYI, this is the policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AlexTestPolicy",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances"
            ],
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:PrincipalTag/Division": "*${ec2:ResourceTag/Division}*"
                }
            }
        }
    ]
}
Asked 1 month ago, 113 views
1 answer
0

Hi, the policy you used gives users with the same division type access to start the instances. This, however, doesn't imply that only they can do those actions. Therefore, assuming your user still has ec2:StartInstances or ec2:* on resources:*, that access won't be revoked.

Since it is evident that you are using AWS Organizations, I recommend using Custom Service Control Policies instead.

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

Gab
Answered 1 month ago
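To make the condition in the question concrete, here is a small evaluator added for this thread (example code, not AWS's authorization engine and not code from either poster). It takes as input the tag values the request context actually carries, i.e. the aws:PrincipalTag values of the signed-in session and the instance's ec2:ResourceTag values, resolves the ${ec2:ResourceTag/Division} variable, applies StringLike, and also shows the answer's point that an additional broad ec2:* Allow makes the tag condition irrelevant. It only models StringLike with single string values, which is all the policy above uses; the tag values are constructed.

```python
import re
from typing import Dict, List, Optional

# The AlexTestPolicy statement from the question, as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AlexTestPolicy", "Effect": "Allow",
        "Action": ["ec2:StartInstances"], "Resource": "*",
        "Condition": {"StringLike": {
            "aws:PrincipalTag/Division": "*${ec2:ResourceTag/Division}*"}},
    }],
}
# A broad ec2:* Allow of the kind the answer warns about (constructed here).
BROAD_STATEMENT = {"Effect": "Allow", "Action": ["ec2:*"], "Resource": "*"}

_VAR = re.compile(r"\$\{([^}]+)\}")

def _resolve(pattern: str, ctx: Dict[str, str]) -> Optional[str]:
    """Substitute ${...} policy variables; None if one is unset (condition fails)."""
    try:
        return _VAR.sub(lambda m: ctx[m.group(1)], pattern)
    except KeyError:
        return None

def _string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive, '*' matches any run, '?' one character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def _condition_ok(conds: Dict[str, str], ctx: Dict[str, str]) -> bool:
    for key, pattern in conds.items():
        resolved = _resolve(pattern, ctx)
        if key not in ctx or resolved is None or not _string_like(resolved, ctx[key]):
            return False
    return True

def is_allowed(statements: List[dict], action: str, ctx: Dict[str, str]) -> bool:
    """True if any Allow statement matches. ctx holds the request context keys:
    the aws:PrincipalTag/* values the session carries and the ec2:ResourceTag/*
    values of the instance. Only StringLike conditions are modelled here."""
    for stmt in statements:
        if stmt["Effect"] != "Allow" or not any(_string_like(p, action) for p in stmt["Action"]):
            continue
        if _condition_ok(stmt.get("Condition", {}).get("StringLike", {}), ctx):
            return True
    return False
```

Feeding in the Division value a session still carries reproduces the result the question describes; only a context carrying the changed value is denied.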
